In 2014, the National Institute of Standards and Technology (NIST) released its Cybersecurity Framework. Initially intended for operators of critical infrastructure, it has since proven flexible enough for use in large and small organizations across all economic sectors. In April 2018, NIST released version 1.1 of the framework, which updated its recommendations on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. However, with so many other security frameworks available, what are the benefits of using this particular framework, and how should you implement it?
It is important to note that the framework is designed to complement, and not replace, any existing cybersecurity or risk management programs in your business. One of the founding principles of the NIST Cybersecurity Framework is that you must customize and adapt it to meet your organization’s unique needs. It is not intended as a checklist for measuring specific processes or activities. The intended approach is to pair it with other regulatory compliance standards. Although it is a voluntary framework, US Presidential Executive Order 13800, signed in May 2017, requires all federal agencies to use it. This edict means that if your organization conducts any business with these entities, aligning to specific recommendations described in the framework may well be a requirement.
The Three Components of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework has three distinct components: the core, tiers, and profiles.
The framework core consists of five functions which are:
A successful implementation requires an organization’s leadership to understand and embrace these five functions and their associated concepts. The functions break down into multiple categories, subcategories, outcomes, and controls, which include items ranging from asset management and governance to recovery planning and communication. For a detailed breakdown of the core and all its informative references, NIST provides various downloadable artifacts, including a version in Excel format.
The primary purpose of the framework tiers is to provide a structure for your business to determine your approach to managing cybersecurity risk. There are four different tier levels described in the framework.
Some may view this tiering score as a capability rating of the kind found in several maturity models.
However, the central premise of the NIST Cybersecurity Framework is adaptability. Instead of trying to achieve the highest tier rating possible, organizations must take their unique requirements and constraints into account and apply the tiering concept accordingly. For example, if your business has a limited cybersecurity budget, trying to achieve an “adaptive” rating for every category is not feasible. Instead, you must take your particular business, industry, and risk profile into account, apply the tiering principles to each class, and measure the potential cybersecurity risk your organization faces.
Profiles provide the customization needed to ensure that the framework maximizes business value. NIST provides a seven-step process which you can use to create your organization’s cybersecurity profile, taking your core fundamentals and tier rating into account. This technique involves a continuous feedback loop which starts with prioritizing and scoping your cybersecurity risk and concludes with the creation of an implementation plan. The rest of the seven steps include creating a current profile, conducting a risk assessment, developing a target profile, and then determining, analyzing, and prioritizing the gaps.
Complement Your Existing Cybersecurity Solutions
Today’s organizations face multiple cybersecurity risks which are exponentially increasing in both scale and sophistication. Businesses depend on technology, which has transformed every facet of the way they function and communicate, so any cybersecurity incident has the potential to impact their ability to operate.
Mitigating these risks requires a proactive, distributed approach which involves every member of the organization. The NIST Cybersecurity Framework is a tool which does just that. It provides a framework core which outlines:
An adaptive tiering process which helps you determine your organization’s level of maturity while taking its unique requirements into account
Profiles which help you prioritize the implementation of relevant measures following a gap analysis
Keep the Following Dos and Don’ts in Mind
The NIST Cybersecurity Framework is meant to complement your existing cybersecurity solutions, so it is essential to use it as a guiding framework. Keep the following in mind:
It is not a checklist - Its primary purpose is to complement existing cybersecurity standards and provide you with flexibility taking the unique needs of your business into account.
Involve the entire organization - Your organization’s leadership must understand and embrace the five core functions.
Tiering is not a maturity model - Achieving the highest tier rating possible is not the goal. You must take your requirements and constraints into account and adapt the framework to your unique business needs.
Conducting a risk assessment is a crucial action in creating your profile - Without a baseline evaluation, you cannot develop your target profile and determine the gaps in your cybersecurity.
Essentially, the key to using the NIST Cybersecurity Framework is to mold the framework to your unique business conditions. Using it as a compliance checklist is not the intention. You do not need to implement every factor and achieve every benchmark.